diff --git a/index.html b/index.html index e1b1a63..db6d5b9 100644 --- a/index.html +++ b/index.html @@ -1353,7 +1353,48 @@
+ Targeted de-anonymization attacks constitute a critical class of threats that jeopardize a user's anonymity. + These attacks allow a malicious or partially compromised website (referred to as the “malicious site”) to + ascertain whether a website visitor possesses a specific public identifier, such as an email address or a + social media handle. +
++ While anonymity may be a luxury for some, for certain individuals, it is far more than that—it is a matter + of survival. Consider for instance those who engage in political protests, work as journalists covering + sensitive topics, etc. +
++ As an example, an attacker can privately share a resource with the target for instance using a public + resource sharing service (“victim site”), and then measure side-effects (indicating successful access) + on loading the resource via side-channels. If the logged in visitor can access the embedded resource + successfully, that indicates that the current visit is indeed the intended target. +
++ Specifically, exposing reliable information about the total CPU pressure can let an attacking site + understand if a target of a cross-origin navigation (e.g. an iframe or pop-up window from another site) + performed a CPU-intensive operation. +
++ Techniques such as pop-under and + tab-under can be used to hide the loading + from the user. +
++ One possible attack is that the malicious website opens e.g., a popup to a resource on a victim site + to which the user is logged in (e.g. a video streaming site or online document editor) pointing to a + resource shared with specific users. +
++ Assuming that loading the resource puts increased pressure on the CPU, this would create a side-channel + reveals to the attacking site if the user is logged into an account with access to the resource, + deanonymizing the user. +
++ Given that modern CPUs recover quickly from high pressure, one possible mitigation strategy could be to + temporarily disable readings for a few seconds after loading popup and iframe content. +
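Review bot: the sentence "this would create a side-channel reveals to the attacking site if the user is logged into an account" is missing a relative pronoun; it should read "a side-channel that reveals to the attacking site whether the user is logged into an account". Two more points on the same hunk: the mitigation paragraph is phrased only as a possibility ("one possible mitigation strategy could be to temporarily disable readings for a few seconds after loading popup and iframe content") and gives implementers no indication whether this is informative text or an expected user-agent behaviour, nor what starts and ends the suspension window; stating that explicitly, or cross-referencing the section that does, would make the security consideration actionable. Minor consistency: "popup" and "pop-up" are both used, "e.g.," and "e.g." alternate, and "logged in visitor" should be "logged-in visitor" in the attributive position.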